The Year of the Car Hacks

With the summer’s big security conferences over, now is a good time to take a look back on automotive security. With talks about attacks on Chrysler, GM and Tesla, and a whole new Car Hacking village at DEF CON, it’s becoming clear that autosec is a theme that isn’t going away.

Up until this year, the main theme of autosec has been the in-vehicle network. This is the connection between the controllers that run your engine, pulse your anti-lock brakes, fire your airbags, and play your tunes. In most vehicles, they communicate over a protocol called Controller Area Network (CAN).

An early paper on this research [PDF] was published back in 2010 by The Center for Automotive Embedded Systems Security, a joint research effort between University of California San Diego and the University of Washington. They showed a number of vulnerabilities that could be exploited with physical access to a vehicle’s networks.

A number of talks were given on in-vehicle network security, which revealed a common theme: access to the internal network gives control of the vehicle. We even had a series about it here on Hackaday.

The response from the automotive industry was a collective “yeah, we already knew that.” These networks were never designed to be secure, but focused on providing reliable, real-time data transfer between controllers. With data transfer as the main design goal, it was inevitable there would be a few interesting exploits.


Modified Mower Hacks the Heavy Stuff

Clearing brush is no fun. Sure, swinging a machete on a hot, humid day sounds great, but when you’re sitting in an oatmeal bath the next day because you didn’t see the poison ivy, you’ll be looking for a better way. [RoboMonkey] did just that with a field-expedient brush trimmer that’s sure to help with his chores.

This is a hack in the true Junkyard Wars sense of the word. A cast-off electric push mower deck caught [RoboMonkey]’s eye, and a few spare brackets and bolts later his electric hedge trimmer was attached across the front of the mower. With a long extension cord trailing behind, he was able to complete in 10 minutes what would normally take him an hour to accomplish, without spending a dime on either a specialized brush cutter or a landscaping service. The video after the break reveals that it may not be the most powerful tool in the shed, and it won’t likely stand up to daily use, but for this twice a year chore, it’s more than sufficient. And since the hedge trimmer wasn’t modified, it’s still available for its original purpose. Reduce, reuse, recycle – and repurpose.

While we haven’t seen many brush cutters before, we’ve seen plenty of mower mods. From LiPo electrics to a gas-powered RC unit, the common push-mower seems to be a great platform for all kinds of hacking.


I2C Hacks: How to Splice Clocks into Chip-Selects

There comes a time when you need to wire up three, four, or more identical I²C devices to a common microcontroller. Maybe you’re thinking about driving 128 seven-segment displays with eight of those MAX6955 16-way digit drivers, or maybe you have a robot full of joints–each of which needs a BNO055 inertial sensor for angle estimation. (See above.) Crikey! In both of those cases, your best bet might be a schnazzy I²C device that can do most of the work for you. The problem? With a single I²C bus, there’s no standard way defined in the protocol for connecting two or more devices with the same address. Shoot! It would’ve been handy to wire up three BNO055 IMUs or eight MAX6955s and call it a day. Luckily, there’s a workaround.

We’ve seen some clever tricks in the past for solving this problem. [Marv G‘s] method involves toggling between a device’s default and alternate address with an external pin. This method, while clever, assumes that the device (a) has an alternate I²C address and (b) features an external pin for toggling that address.

I’ll introduce two additional methods for getting the conversation started between your micro’ and your suite of identical sensors. The first is “a neat trick,” but somewhat impractical for widespread use. The second is far more  production-worthy–something you could gloat over and show off to your boss! Without further ado, let’s get started with Method 1.

Lastly, if you’d like to follow along, feel free to check out the source code on Github.

The Test Setup:


In both methods, I’m using the same sensor setup to check that each circuit behaves correctly. I happened to have a bunch of extra BMA180s on the bench, so I rolled out an example based on these chips. Back in the day, the BMA180 was a pretty common three-axis digital accelerometer. It has an I²C interface with two optional addresses. For the purpose of this example, I’m fixing them all with the same address.  I’ve mounted three of these guys on mutually perpendicular axes of my acrylic “test cube,” and I’m reading each chip’s Z-axis. In this configuration I can easily pick out the gravity vector from the corresponding sensor as the data goes flying by my serial port window. If I can uniquely address each sensor and read the data, I’ve got a working circuit.

Method 1: Splicing Clocks into Chip-Selects

This method tips its hat towards SPI in that it behaves in an oddly similar fashion. If you’re feeling rusty on SPI, here’s a quick recap.

A Quick SPI Refreshment:

SPI, like I²C, is another protocol that shares both its clock and data lines with multiple slave devices. The difference, though, lies in the addressing scheme to talk to these devices that share the same bus. With SPI, while clock and data lines are shared, devices are addressed with separate chip-select (CS) lines.

Image Source: Wikipedia

The master microcontroller dedicates a unique output pin to each device (~SS1, ~SS2, and ~SS3 in this illustration). When the master micro’ wants to talk to a device, it asserts that device’s chip-select input pin by pulling it to logic LOW, and the conversation begins over the data bus. With the chip select LOW, the corresponding slave listens to the data on the bus. Meanwhile, all other devices ignore the conversation between the master and its chosen slave by keeping their bus pins in a high impedance state.

Giving I²C Its Own Chip-Selects:

With I²C, Clock (SCL) and Data (SDA) lines are still shared between all I²C slave devices, but the addressing scheme happens by sending a message heard by all devices on the bus. To single out one device on the shared bus, the master first passes down the address of the slave device it wants to talk to, after which that slave replies with an ACKnowledge, and all other slaves ignore the data that follows until both data transmission is complete and the bus is “released.”


Because we have the problem of multiple devices with shared addresses, in theory, all of these devices would reply when the master passes down their shared address, and there’s no way for the master to single out one device. In reality, this behavior is undefined in the I²C protocol.


Yikes! Anything goes when we wander away from defined behavior, so we try to avoid these things in practice.

The solution?

According to the I²C spec, it just so happens that an I²C slave device will ignore changes on the data line (SDA) provided that the clock line (SCL) is held high. In this method, I’ll “split” the SCL line into multiple SCL lines such that each shared I²C device gets its own SCL. By selectively rerouting the clock to each I²C device one-at-a-time, I’ve essentially turned the SCL line into a “chip select.”

To chop up that clock line, I’ll need a demultiplexer. A demultiplexer (or decoder) takes a logical input and reroutes it to one of several outputs based on the binary select lines.

I’ve dropped in the 74AC11138 eight-way demultiplexer for this task. It’s fast, capable of switching at megahertz rates, and its outputs default to logic HIGH. That second note is handy since idle SCL lines also default to logic HIGH.

The setup is shown in a simplified schematic above. In it, I’m using a Teensy 3.0 posing as the I²C bus master. To the right of the Teensy is the collection of identical chips, BMA180 accelerometers in this case. In the middle is the 74AC11138 eight-way demultiplexer.
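A host-side C model of the clock-splitting idea above, added here as an illustration and not taken from the article's GitHub code: three slaves share one address, and only the slave whose SCL output is selected clocks in the address byte. The address 0x40, the `probe` helper, and the wiring of the master's SCL to an active-low enable of the decoder are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define N_SLAVES    3
#define SHARED_ADDR 0x40 /* constructed 7-bit address, same on every slave */

/* 3-to-8 decoder, active-low outputs that idle HIGH. Assumed wiring: the
 * master's SCL drives an active-low enable, so the selected output copies
 * SCL while the other seven outputs stay HIGH. */
static void demux_scl(int scl_in, unsigned sel, int out[8])
{
    for (unsigned i = 0; i < 8; i++)
        out[i] = (i == (sel & 7u)) ? scl_in : 1;
}

typedef struct {
    int     prev_scl; /* last level seen on this slave's own SCL pin */
    uint8_t shift;    /* address byte as clocked in so far */
    int     nbits;
    int     acked;    /* 1 once a full address byte matched */
} slave_t;

/* A slave samples SDA only on a rising edge of its own SCL pin. */
static void slave_step(slave_t *s, int scl, int sda)
{
    if (!s->prev_scl && scl && s->nbits < 8) {
        s->shift = (uint8_t)((s->shift << 1) | (sda & 1));
        if (++s->nbits == 8 && (s->shift >> 1) == SHARED_ADDR)
            s->acked = 1;
    }
    s->prev_scl = scl;
}

/* Clock one address byte onto the bus and return a bitmask of the slaves
 * that ACKed. use_demux = 0 models the plain shared-SCL bus. */
unsigned probe(int use_demux, unsigned sel)
{
    slave_t slaves[N_SLAVES] = {{1, 0, 0, 0}, {1, 0, 0, 0}, {1, 0, 0, 0}};
    uint8_t byte = (uint8_t)((SHARED_ADDR << 1) | 1); /* address + read bit */
    int scl_pin[8];
    unsigned mask = 0;

    for (int bit = 7; bit >= 0; bit--) {
        int sda = (byte >> bit) & 1;
        for (int scl = 0; scl <= 1; scl++) {   /* SCL low, then high */
            demux_scl(scl, sel, scl_pin);
            for (int i = 0; i < N_SLAVES; i++)
                slave_step(&slaves[i], use_demux ? scl_pin[i] : scl, sda);
        }
    }
    for (int i = 0; i < N_SLAVES; i++)
        if (slaves[i].acked)
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    printf("shared SCL : ack mask 0x%x\n", probe(0, 0));
    for (unsigned sel = 0; sel < 4; sel++)
        printf("demux sel=%u: ack mask 0x%x\n", sel, probe(1, sel));
    return 0;
}
```

On the shared bus all three slaves answer at once; with the demultiplexer in the clock path exactly one answers per select value, and an unpopulated output answers with none.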

Cons of this Method:

There’s a minor drawback with this technique, though, in that it doesn’t support I²C’s clock-stretching feature. Taking a step back, this method assumes that the SCL line is inherently unidirectional, controlled by only the I²C bus master. In other words, we’re making the assumption that data on the SCL line is only sent from master to slave and never the other way around. If your I²C slave devices implement clock-stretching, however, this assumption breaks down.

What is Clock Stretching?

Clock stretching is a method defined by the I²C protocol where the chip needs to “buy itself more time” and holds the SCL line low, hence, signalling to the master that it’s not ready for the upcoming data. In this scenario, the slave actively controls the SCL line, and it happens to be the only case where data moves up the SCL line from slave to master. In a setup with our demultiplexer between the master and our set of identical slaves, these slaves won’t be able to send back the clock-stretching signal to the master to indicate that they aren’t ready for data, if they happen to implement clock stretching. That said, clock stretching is a pretty rare feature among I²C-compatible devices, so this method is likely to work among a number of chips out now.

More Next Week

That’s all for Method 1. Thanks for tuning in, and check back next week for a slightly-more-professional method of tackling this same problem.

Hacklet 57 – CNC Hacks

Everyone’s first microcontroller project is making an LED blink. It’s become the de-facto “Hello World” of hardware hacking. There’s something about seeing wires you connected and the code you wrote come together to make something happen in the real world. More than just pixels on a screen, the LED is tangible. It’s only a short jump from blinking LEDs to making things move. Making things move is like a gateway drug – it leads to bigger things like robots, electric cars, and CNC machines. Computer Numerical Control (CNC) is the art of using a computer to control movement. The term is usually applied to machine tools, which cut, engrave, or perform other operations on wood, plastic, metal and other materials. In short, tools to make more things. It’s no surprise that hackers love CNCs. This week’s Hacklet is all about some of the best CNC projects on!

We start with [Charliex] and Grizzly G0704 CNC Conversion. [Charliex] wanted a stout machine capable of milling metal. He started with a Grizzly G0704, which is small compared to a standard knee mill, but still plenty capable of milling steel. [Charliex] added a Flashcut CNC conversion kit to his mill. While they call them “conversion kits” there is still quite a bit of DIY ingenuity required to get a system like this going. [Charliex] found his spindle runout was way out of spec, even for a Chinese mill. New bearings and a belt conversion kit made things much smoother and quieter as well. The modded G0704 is now spending its days cutting parts in [Charliex’s] garage.


Next up is [brashtim] with Makesmith CNC. Makesmith was [brashtim’s] entry in the 2014 Hackaday prize. While it didn’t win the prize, Makesmith did go on to have a very successful Kickstarter, with all the machines shipping in December of 2014. The machine itself is unorthodox. It uses closed loop control like large CNC machines, rather than open loop stepper motors often found in desktop units. The drive motors are hobby type servos. We’re not talking standard servos either – [brashtim] picked microservos. By using servos, common hardware store parts, and laser cut acrylic, [brashtim] kept costs down. The machine performs quite well though, easily milling through wood, plastic, foam, and printed circuit boards.


Next we have [Kenji Larsen] with Reactron material processor: Wireless CNC mill. [Kenji] started with a Shapeoko 2, and gave it the Reactron treatment. The stock controller was replaced with a Protoneer shield, which is connected to the Reactron network via a HopeRF radio module. The knockoff rotary tool included with the kit was replaced with a DeWalt DW660 for heavy-duty jobs, or a quieter Black and Decker RTX-6. A tool mounted endoscope keeps an eye on the work. [Kenji] mounted the entire mill in a custom enclosure of foam and Roxul insulation. The enclosure deadens the sound, but it also keeps heat in. [Kenji] plans to add a heat exchanger to keep things cool while maintaining relative quiet in his shop.

Finally we have [hebel23] with DIY Multiplex Plywood CNC Router. [hebel23] wanted to build a big machine within a budget – specifically a working area of 400 x 600 x 100 mm and a budget of 800 Euro. As the name implies, [hebel23] used birch plywood as the frame of his machine. He chose high quality plywood rather than the cheap stuff found in the big box stores. This gives the machine a stable frame. The moving components of the machine are also nice – ball screws, linear bearings, and good stepper controllers. The stepper motors themselves are NEMA-23 units, which should give the CNC plenty of power to cut through wood, plastic, and even light cuts on metal. [hebel23] spent a lot of time on the little details of his CNC, like adding an emergency stop switch, and a wire-chain to keep his gantry control wires from ending up tangled up in the work piece. The end result is a CNC which would look great in anyone’s workshop.

If you want more CNC goodness, check out our brand new CNC project list! Did I miss your project? Don’t be shy, just drop me a message on That’s it for this week’s Hacklet, As always, see you next week. Same hack time, same hack channel, bringing you the best of!

Hacklet 56 – Brain Hacks

The brain is the most powerful – and least understood computer known to man. For these very reasons, working with the mind has long been an attraction for hackers, makers, and engineers. Everything from EEG to magnetic stimulus to actual implants have found their way into projects. This week’s Hacklet is about some of the best brain hacks on!

[Paul Stoffregen], father of the Teensy, is hard at work on Biopotential Signal Library, his entry in the 2015 Hackaday Prize. [Paul] isn’t just hacking his own mind, he’s creating a library and reference design using the Teensy 3.1. This library will allow anyone to read electroencephalogram (EEG) signals without having to worry about line noise filtering, signal processing, and all the other details that make recording EEG signals hard. [Paul] is making this happen by having the Teensy’s cortex M4 processor perform interrupt driven acquisition and filtering in the background. This leaves the user’s Arduino sketch free to actually work with the data, rather than acquiring it. The initial hardware design will collect data from TI ADS129x chips, which are 24 bit ADCs with 4 or 8 simultaneous channels. [Paul] plans to add more chips to the library in the future.


Next up is [Jae Choi] with Lucid Dream Communication Link. [Jae] hopes to create a link between the dream world and the real world. To do this, they are utilizing BioEXG, a device [Jae] designed to collect several types of biological signals. Data enters the system through several active probes. These probes use common pogo pins to make contact with the wearer’s skin. [Jae] says the active probes were able to read EEG signals even through their thick hair! Communication between dreams and the real world will be accomplished with eye movements. We haven’t heard from [Jae] in awhile – so we hope they aren’t caught in limbo!

[Qquuiinn] is working from a different angle to build bioloop, their entry in the 2015 Hackaday Prize. Rather than using EEG signals, [Qquuiinn] is going with Galvanic Skin Response (GSR). GSR is easy to measure compared to EEG signals. [Qquuiinn] is using an Arduino Pro Mini to perform all their signal acquisition and processing. This biofeedback signal has been used for decades by devices like polygraph “lie detector” machines. GSR values change as the sweat glands become active. It provides a window into a person’s psychological or physiological stress levels. [Qquuiinn] hopes bioloop will be useful both to individuals and to mental health professionals.

Finally we have [Marcin Byczuk] with Biomonitor. Biomonitor can read both EEG and electrocardiogram (EKG) signals. Unlike the other projects on today’s Hacklet, Biomonitor is wireless. It uses a Bluetooth radio to transmit data to a nearby PC or smartphone. The main processor in Biomonitor is an 8 bit ATmega8L. Since the 8L isn’t up to a lot of signal processing, [Marcin] does much of his filtering the old fashioned way – in hardware. Carefully designed op-amp based active filters provide more than enough performance when measuring these types of signals. Biomonitor has already found its way into academia, being used in both the PalCom project, and brain-computer interface research.

If you want more brain hacking goodness, check out our brain hacking project list! Did I miss your project? Don’t be shy, just drop me a message on That’s it for this week’s Hacklet, As always, see you next week. Same hack time, same hack channel, bringing you the best of!

Hacklet 53 – Quick Tool Hacks

They say necessity is the mother of invention. Have you ever been right in the middle of a project, when you realize that you could hack up a simple tool which would make your current task easier? Maybe it’s a coil winder, or a device to hold .100 headers straight in their holes. Faster than you can say “Arabian Nights”, you’re working on a project within a project. It might not be pretty, but it gets the job done. This week’s Hacklet is all about quick tool hacks – little projects that help out around the shop or hackerspace.

We start with [theonetruestickman] and Magnificent Magnifier LED Coversion. [theonetruestickman] picked up an articulated magnifier lamp at Goodwill for $4. These lamps are a staple of benches everywhere. The only problem was the switch and fluorescent tube were both failing. [theonetruestickman] didn’t feel bad for the lamp though. He pulled out the tube, ballast, and starter, replacing them with LEDs. He used 12 V 3 watt LED modules to replace the tube. Three modules provided plenty of light. An old wall wart donated its transformer to the effort. Since these LED modules are happy running on AC, no bridge rectifier was necessary. The modernized lamp is now happily serving on [theonetruestickman’s] workbench.

Next up is [Kwisatz] with Pick Up tool hack. [Kwisatz] is a person of few words. This whole project consists of just two words. Specifically, “syringe” and “spring”. Thankfully [Kwisatz] has provided several pictures to show us exactly what they’ve created. If you’ve ever used one of those cheap pickup tools from China, you know [Kwisatz’s] pain. The tiny piece of surgical tube inside the tool creates a feeble vacuum. These tools only hold parts for a few seconds before the vacuum decays enough to drop the part. [Kwisatz] kept the tip of the tool, but replaced the body with a syringe. A spring is used to create just the right amount of vacuum to hold parts on while they are being placed.

[Dylan Bleier] made his shop air a bit safer to breathe with a simple fume extractor for $20. Solder and flux create some nasty smoke when heated. Generally that smoke wafts directly into the face of the hacker peeking at the 0402 resistor they are trying to solder. A bit of smoke once in a while might not be so bad, but over the years, the effects add up. [Dylan] used two 120V AC bathroom fans, some metal ducting, plywood, and a bit of time to make this fume extractor. [Dylan] is the first to say it’s not UL, CE, or ROHS compliant, but it does get the job done. He even added a screen to keep bugs from flying in from the outdoor exhaust port.

[ftregan] needed to wind a helical coil for an antenna, so he built Helix Winder. Helices are essentially springs, so that should be easy, right? Turns out that making a nice uniform helix is not the easiest thing in the world. The helix winder is a jig which makes winding these special coils much easier. Holes are drilled at a specific angle in a wooden block. The wire is fed through that block and rolled onto an aluminum tube. Rotating the block on the tube forces the wire into the helix shape. The only downside is that each winder is only good for one dimension of helix.

I’ve noticed that some of these quick hacks don’t get as much love as they deserve over on So if you notice a cool hack like this, drop a comment and give the project a skull. If you want to see more of these hacks, check out our new quick tool hacks list! See a project I might have missed? Don’t be shy, just drop me a message on That’s it for this week’s Hacklet, As always, see you next week. Same hack time, same hack channel, bringing you the best of!

PicoRico Hacks String Encoder for Bike Suspension Telemetry

It’s simple, it’s elegant, and it works really really well. The PicoRico team built a telemetry system for a downhill bike. Off the top of your head how would you do this? Well, telemetry is easy… just add an IMU board and you’re golden. They went beyond that and have plans to go much further. In fact, the IMU was an afterthought. The gem of this build is a sensor that may go by several names: string encoder, draw wire sensor, stringpot, etc. But two things are for sure, they planned well for their hackathon build and they executed on that plan. This landed them as first-runners-up for the top award at the 2015 Disrupt Hackathon in New York, and the winners of the top Hackaday award at the event.

[Chris], [Marek], and [Dorian] wanted to log all the telemetry data from [Chris’] downhill bike. One of the biggest challenges is to measure the force absorbed by the suspension on the front fork. The three had seen a few attempts at this before. Those used a retractable wire like what holds keys to a custodian’s belt, mated with a potentiometer to measure the change. This is where the term stringpot comes from. The problem is that your resolution and sensitivity aren’t very reliable with this setup.

That is a sensor problem, not a mechanical problem so they kept the retractable reel and replaced the pot with a much more reliable part. In its place an AMT203 absolute position sensor provides an epic level of sensing. According to the datasheet (PDF) this SPI device senses 12 bits of rotation data, can be zeroed over the SPI bus, and is accurate to 0.2 degrees. Unfortunately we didn’t get a good up-close shot of the installation but it is shown in the video. The encoder and retractor mount above the shocks, with the string stretching down to the skewer. When the shocks actuate, the string extends and retracts, turning the absolute encoder. Combine this with the IMU (and two other IMUs they plan to add) and you’ve got a mountain of data to plot and analyze. The videos after the break show a demo of the string encoder and an interview with the team.

They came to play

It’s worth noting that the PicoRico team were in this to win it. They packed heavy for the 20-hour hackathon. Here’s a picture of all the gear they brought along with them to the event… in addition to the bike itself.

We see a solder station, Dremel (with drill press), impact driver, tap and die set, extension cords, boxes full of electronics, and more. This type of planning breaks down barriers often faced at hardware hackathons. You can download a software library; you can’t download a tool or building material that nobody has with them. This is the same lesson we learned from [Kenji Larsen] who, as part of his mentoring at the event, brought a mobile fabrication facility in a roller bag.

If you start getting into hackathons, and we hope you will, keep this in mind. Brainstorm as much as you can leading up to the event, and bring your trusted gear along for the ride.
